Application Security Terminology

Glossary

HttpOnly Session Cookie

HttpOnly Session Cookie describes an attack that takes advantage of those situations where the HttpOnly flag has not been turned on. The HttpOnly flag is an additional flag included in a Set-Cookie HTTP response header. It is used to prevent a Cross-Site Scripting exploit from gaining access to the session cookie and hijacking the victim’s session. The HttpOnly flag is a useful prevention mechanism, as it instructs the user-agent to restrict access to the cookie only for use with HTTP messages.

Using the HttpOnly flag when generating a cookie helps mitigate the risk of a client-side script accessing the protected cookie (if the browser supports it). If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through a client-side script (again if the browser supports this flag). As a result, even if an XSS flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.